Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid. This issue was addressed in this Github issue (archived from WaybackMachine): http://web.archive.org/web/20190415103059/https://github.com/plaid/link/issues/68

The Github issue has since been deleted, as shown here: https://github.com/plaid/link/issues/68. I'm hoping this isn't a repost, but this behavior seems ridiculous to me, and I'm hoping to bring it to wider attention (if it isn't already).

Edit: post flagged for some reason. Oh well.
Hi all - co-founder of Plaid here. We're in the process of migrating this repository and replacing it with a dedicated iOS SDK repo, JS SDK, and (soon to be) Android SDK. However, I messed up the order of operations with this migration and can empathize with the reaction. I personally chatted with a lot of the commenters on the original issue before we did this and am more than happy to engage/get feedback from anyone else over email/phone/in-person. Feel free to shoot me an email at william [at] plaid [dot] com if you want to chat/have any feedback.
Here's my main beef with Plaid: a lot of times when you use it as an end user you have no idea that you're giving one of Plaid's customers full history on all of your transactions, accounts, credit cards, loans, etc. Plaid presents you with a ToS that you will probably never read.

Compare that to something like "Sign in with Google" or "Sign in with Github". They put in plain English exactly what the website you are signing into is asking permission for, and you explicitly say "I'm ok with that."
Seems to have happened not because they deleted that specific issue but because they have disabled issues in general for that specific repository. Take a look at https://github.com/plaid/link and see there is no "Issues" tab. When doing that, it removes all existing issues.
> Plaid imitates major bank account UIs in their login forms to make users more comfortable submitting their bank credentials to Plaid.

But it's even worse than that. They're training their users to ignore the security advice that their banks and other web providers have been trying to teach them for years, which makes them more vulnerable to phishing attacks. As one of the commenters on Github said[1]:

> This is horrible, horrible, horrible, horrible, horrible practice. Any malicious actor can copy your design and present a perfectly genuine-looking Plaid input form and gather bank credentials from victims. There's absolutely no way to tell whether a Plaid input form is genuine without examining the HTML source of the page, which is far beyond the ability of almost all users. What good is your $1000 EV cert and your brand's hard-won trust if the user just sees Wacky Joe's Discount Dolphin Assholes, secured by letsencrypt.org in the area of the address bar where we've been telling them to look for a trusted name for about the last decade?

The commenter's next paragraph also bears repeating:

> You guys need to get your act together and realize that you're not in the business of hosting Wordpress blogs or building marketing pages for the latest Barbie Rides Horses Again game somehow still coming out for the Nintendo DS. You collect bank credentials. Re-read the previous sentence. Do it again. Essentially my entire net worth is kept in my Schwab brokerage account which shares the same login as my Schwab checking account. If someone gets my Schwab credentials and I don't notice before they empty me out, my life is over. You simply cannot half-ass security best practices for the sake of UX convenience.

[1] https://web.archive.org/web/20190415103059/https://github.com/plaid/link/issues/68#issuecomment-440894224
> michaelckelly commented on Dec 7, 2018
>
> @skierpage and @briangordon we appreciate your concerns, which is why our compliance team vets anybody who uses Link. As to malicious knock offs, this is a matter that most successful companies lookout for and deal with -- as we and our security team do.

This person should not be allowed to provide services that use bank APIs. Who should do the preventing? Banks.
Plaid needs to be exposed as one of the most unethical companies in SV. If people are worried about online privacy then they should really be worried about a company that is so deceiving and makes it basically impossible to revoke permissions on something as sensitive as access to your bank account and transaction history once granted.
Hah. This is the only company that has ever f—ked me over. I’m a self-employed consultant who flew out to SF to work with them and was told the gig was off the working day before we were set to begin. My lawyer said I absolutely had a case but I’d need to be prepared to open an international lawsuit against them (I’m UK-based) and I just couldn’t muster the effort. They got away with it.

They also quite cheerfully asked me ‘Hey! Next time you’re in the area we’d love to look at working together?’ Classy.
Not to downplay the security implications here, but Plaid has pretty much changed finance. It’s a straightforward case of trading security / privacy for functionality. Apps like Venmo, Robinhood, Wealthfront, and most every other financial startup would not exist without Plaid.
This is the first time I'm hearing of Plaid. Is it actually something banks have signed off on and are ok with? This whole thing looks to set a bad precedent.
Since HN doesn’t turn URLs in text submissions into clickable links like it does in comments, here are the URLs given for your clicking convenience.

http://web.archive.org/web/20190415103059/https://github.com/plaid/link/issues/68

https://github.com/plaid/link/issues/68
I feel it's worth bearing in mind that this is normal to the point that the financial regulator in the UK standardised the activity as part of the EU-wide PSD2. It is being phased out in favour of open banking in the next couple of years, now that there's a requirement for more OAuth-like approaches. (In fact, Plaid just launched in the UK on the open banking APIs.)

Banks are well aware that this is a thing and they're not that bothered.

If you want to see this improve, maybe push on US regulators to formalise it?
Plaid really do seem a little dodgy to me. In the UK they are effectively offering a PSD2-API forwarding service, which seems very much against the spirit of PSD2 and the open banking initiatives.
This is depressing. It feels to me like the number of tech unicorns that have been caught red-handed doing something immoral/unethical/illegal is starting to outweigh the ones that haven't.